MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 15


SHA256 hash: 6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA3-384 hash: 441e43791c09803090522e58b19aa182b9e80c43b9ca48f3db77fc1fc3aab3febaf324037e775723e146e02b8b1b6493
SHA1 hash: bfe5f9b94081c25827e2bc90bb39a8c701033519
MD5 hash: b0a84e4330a9c00c57d3a3e7885f7946
humanhash: kilo-winner-uranus-eight
File name: WinUIUpdate.exe
File size: 3'908'096 bytes
First seen: 2023-03-20 11:58:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c24ea937b2b0d62e829e8a8faeff5a8d (26 x CoinMiner, 1 x CoinMiner.XMRig)
ssdeep: 98304:xGUMWoCIILMDNCl6b54+TUyscvBDw4pn:AGosIslo46UF8
Threatray: 2'329 similar samples on MalwareBazaar
TLSH: T18E0623C965534C9DC0294837D26FFBA76CD0702224169CF685AAE6631C6D7F3AAF8331
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: 0xToxin
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 227
Origin country: IL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: Office-AddInHelper.exe
Verdict: Malicious activity
Analysis date: 2023-03-20 12:25:24 UTC
Tags: trojan amadey

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Possible injection to a system process
Changing the hosts file
Enabling autorun by creating a file
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Found hidden mapped module (file has been removed from disk)
Found stalling execution ending in API Sleep call
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Obfuscated command line found
Opens the same file many times (likely Sandbox evasion)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 830396; Sample: WinUIUpdate.exe; Startdate: 20/03/2023; Architecture: WINDOWS; Score: 100), process tree recovered from the graph text:
- Root: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Obfuscated command line found; 5 other signatures. Started: powershell.exe, WinUIUpdate.exe, cmd.exe, 4 other processes.
- powershell.exe: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes. Started: dllhost.exe.
- WinUIUpdate.exe: dropped C:\Users\user\AppData\Local\...\qfatpzoi.tmp (PE32+), C:\Program Filesbehaviorgraphoogle\...\chromeupdater.exe (PE32+), C:\Windows\System32\drivers\etc\hosts (ASCII); Modifies the hosts file; Found hidden mapped module (file has been removed from disk); Adds a directory exclusion to Windows Defender; Maps a DLL or memory area into another process. Started: dialer.exe.
- cmd.exe: Uses cmd line tools excessively to alter registry or file data; Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate. Started: reg.exe (3 instances), 7 other processes.
- 4 other processes (from root): Uses schtasks.exe or at.exe to add and modify task schedules. Started: schtasks.exe, powercfg.exe, 3 other processes.
- dllhost.exe: Found stalling execution ending in API Sleep call; Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; 4 other signatures. Injected into: svchost.exe, lsm.exe, winlogon.exe, 18 other processes.
- svchost.exe (injected): Opens the same file many times (likely Sandbox evasion).
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2023-03-20 11:59:10 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Drivers directory
Stops running service(s)
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
MD5 hash: b0a84e4330a9c00c57d3a3e7885f7946
SHA1 hash: bfe5f9b94081c25827e2bc90bb39a8c701033519
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe 6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04 (this sample)

Delivery method: Distributed via web download

Comments